NoticeBored’s unique approach

We are well aware that NoticeBored is not your only option. What sets us apart from more traditional approaches to security awareness is that we are setting the benchmark, constantly innovating and finding novel ways to make employees aware, motivating them to change their behaviors, generating a security culture and realizing valuable business benefits.

Here’s how ...

Traditional approach

NoticeBored

Either do nothing at all (!), or hold an annual “awareness training session” (typically a lecture at staff by management)

Inform and motivate staff, managers and professionals through multiple formal and informal communications channels and mechanisms running in parallel all-year-round

Circulate fresh awareness content every month in a range of formats (including new posters!) so there’s always something interesting and relevant to catch the eye

Cover security issues that are so last-year

Pick up on topical news and events more or less as they unfold; find out how to deal with emerging issues, novel threats and vulnerabilities, today’s challenges

Get the go ahead, develop the awareness materials and eventually launch the awareness program with a bang ... but soon run out of steam

Launch the program now! Quickly establish a high level of awareness and keep it rolling forward indefinitely, drawing from the flowing stream of creative energy

Cover a confusing mess of issues all at once, superficially due to time constraints

Stick to a single, relevant information security topic each month, seizing the opportunity to go into more depth as appropriate to each audience

Keep to the basics such as viruses and passwords

Cover more than 60 topics from different perspectives, reflecting current information risks and topical security issues

Address compliance obligations - no more, no less

Broaden the outlook beyond legal and regulatory compliance to take in good security practices from across the globe plus strategic and tactical objectives from within the corporation, including corporate policy and contractual compliance

Broadcast management edicts and security instructions at staff

Encourage feedback and interaction from employees and engage with them by treating them as sentient beings rather than merely passive recipients of information

Deliver a random assortment of sometimes contradictory messages, written by a variety of authors with differing styles, preconceptions, knowledge and objectives

Integrate the awareness materials into a coherent, consistent, high quality and instantly-recognizable branded campaign

Think of “security awareness” as an end in itself

Understand that security awareness is merely a means to an end: the real objective is to create genuine behavioral changes that cut costs, increase assurance and enable the business to do things that would otherwise be too risky

Tell staff to comply with “the rules” for information security as defined by management “or else!”

Help everyone (managers, staff and professionals) understand their respective security obligations; explain the security rationale; offer practical and relevant guidance in their own terms and familiar language

Try to sack those who break the rules, but run into trouble with the lawyers or unions because “the rules weren’t clear” or they “aren’t enforced”

Markedly improve security governance; ensure that everyone, at all levels, is aware of and understands their obligations; hold people personally accountable for their actions and inactions

Send staff away on security training courses and awareness sessions with no follow-up support

Raise security awareness without interrupting normal work; encourage people to seek out additional informative resources (as much pull as push, carrot and stick)

Communicate either in a formal, stuffy and stilted style, or else a superficial, rather offhand style using childish cartoon graphics and weak jokes

Use a full range of formal and informal communications styles and methods to suit the various adult audiences and messages, maintaining a professional business-like approach throughout

Employ cybersecurity professionals (if they have the time and competence) or costly technical authors (trained to write technical manuals in a technical style) to write information security materials for everyone

Utilize the services of professional authors, well-qualified and experienced professional security awareness specialists, creating creative materials to a consistently high quality ‘camera-ready’ standard for a fraction of the cost

Aim the security awareness materials squarely at “end users” (meaning IT users), more-or-less completely ignoring other audiences throughout the organization

Engage people - all employees, not just computer users, at all levels - through an inclusive program giving appropriate guidance meeting their particular information needs

Supplement online/electronic delivery with a wide variety of awareness activities and techniques, exploiting social media and corporate social networking opportunities for face-to-face interactions between workers and information security plus other professional specialists

Blindly hope that awareness messages will all sink-in and register

Measure awareness objectively through surveys and tests, using the data to fine-tune the awareness program month-by-month

Promise quick results from the awareness program and disappoint management when things don’t improve as fast as you’d hoped

Anticipate that genuine cultural change is a slow process; lead management and staff on the same journey to enlightenment

Pick someone junior from Information Security or Training to design and run the program, or “get someone in”

Draw on the professional expertise and energy of experienced security awareness specialists without the overheads and costs of recruiting, employing and managing them

Run the program purely as an internal IT activity involving limited in-house skills and resources

Tap into the resources of all parts of the organization e.g. Information Security, Site Security, HR, Risk Management, Audit, Legal and Compliance; treat information security as first and foremost a business issue, not limited to technology or IT

In relation to setting the benchmark, some but not all of our inventions, including concepts that have been central to NoticeBored for more than a decade, have since mysteriously found their way into competitors’ offerings. They say imitation is the sincerest form of flattery, so we consider ourselves duly flattered! Nevertheless, we prefer to lead rather than be led. We don’t follow industry trends so much as set them. Originality and quality will always define our products and differentiate us from the pack. We continue to innovate at every opportunity, frequently introducing new awareness topics and different types of engaging and creative awareness material. If you have a novel or unusual security awareness idea, do get in touch. Together, we can bring good ideas to fruition.